Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005

Date: 2023-February-01

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.

Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.

Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

Date: 2023-January-18

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001

Date: 2023-January-18

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

This advisory is not covered by Drupal Steward.

Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003

Date: 2023-January-18

The Media Library Block module allows you to render a media entity in a block.

The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.

Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.

Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002

Date: 2023-January-18

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.

Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Date: 2023-January-11

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".

File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065

Date: 2022-December-14

The File (Field) Paths module extends the default functionality of Drupal's core File module by adding the ability to use entity-based tokens in destination paths and file names.

The module's default configuration could temporarily expose private files to anonymous visitors.

Important note: to fix the problem, database updates must be run in addition to updating the module.

H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

Date: 2022-December-14

This module enables you to create interactive content.

The module doesn't sufficiently stop path traversal attacks through the file names contained in uploaded .h5p archives (zip files).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063

Date: 2022-December-07

This module enables you to create registration entities related to nodes.

The module doesn't sufficiently restrict update access to a user's own registrations.

This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062

Date: 2022-November-30

The Social Private Message module allows users on the platform to send private messages to each other.

The module does not perform the correct access checks for certain operations.
